1. Field of the Invention
The present invention relates to a cryptographic processing apparatus, a cryptographic processing method, and a storage medium storing a cryptographic processing program for encrypting or decrypting data which is to be subjected to cryptographic processing in units of blocks using secret keys, and especially to such an apparatus, method, and program for improving security without greatly increasing hardware scale and processing time.
2. Description of the Prior Art
In recent years, as the transfer of a variety of types of information and remittance by digital communication have become widespread, there have been increasing needs for techniques which can improve security for protecting important information against attacks by third parties such as eavesdropping and information alteration. One technique for improving security is cryptography.
In communication systems using cryptography, an original communication text is referred to as "plaintext", while a text converted from the plaintext, from which it is difficult for third parties to derive the plaintext, is referred to as "ciphertext". Conversion from the plaintext to the ciphertext is referred to as "encryption", while inverse conversion for restoring the original plaintext from the ciphertext is referred to as "decryption".
The cryptographic content of ciphertext/plaintext is determined by an algorithm and a key which is a parameter of the algorithm. The algorithm specifies a conversion family composed of a plurality of conversions, while the key specifies one conversion out of the plurality of conversions in the conversion family. Generally, the algorithm corresponds to a fixed part of the apparatus, whereas the key is changed occasionally.
It is assumed that ciphertexts are apt to suffer from eavesdropping. An act by an unauthorized party such as an eavesdropper of decrypting a stolen ciphertext to obtain an original plaintext without the algorithm or the key is called "cryptanalysis".
A third party who attempts to decrypt a ciphertext (hereinafter, "cryptanalyst") does so on the assumption that the ciphertext is known.
A cryptanalysis method in which a secret plaintext or key is derived only from a ciphertext is called a "ciphertext-only attack". On the other hand, a cryptanalysis method in which a plurality of unspecified pairs of a ciphertext and a plaintext are used to determine a secret key, which is then used to obtain a plaintext corresponding to an arbitrary ciphertext, is called a "known-plaintext attack".
The pseudo-random-number-sum-type cryptography is described below as an example.
In this cryptographic processing method, a transmitter and a receiver share the same secret key, which is used by each device as a seed to generate a random number of a predetermined number of bits (hereinafter, "block") in a random number generator, where the random number generators of both devices have the same algorithm. Then the transmitter generates a ciphertext by performing an exclusive-OR operation on the random number and a plaintext for each corresponding bit in units of blocks. On receiving the ciphertext, the receiver generates the original plaintext by performing an exclusive-OR operation on the random number and the ciphertext for each corresponding bit in units of blocks.
Here, when a block in the plaintext is represented as "M", a block in the ciphertext as "C", the random number as "R", and the exclusive-OR operation for each corresponding bit as "(+)", the encryption can be described as the following "Formula 1", and the decryption as the following "Formula 2":
C=M(+)R  (Formula 1)
M=C(+)R  (Formula 2)
A drawback with this cryptographic processing method is that it is vulnerable to the "known-plaintext attack".
For instance, when a pair of a plaintext and a ciphertext is known for one block, the random number R can be obtained by the following "Formula 3", and as a result the whole plaintext can be obtained:
R=M(+)C  (Formula 3)
Accordingly, the cryptanalyst can decrypt the pseudo-random-number-sum-type ciphertext without difficulty by the known-plaintext attack.
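The following is an added example, not code from the patent: it models the pseudo-random-number-sum cipher of Formulas 1 and 2 with a shared one-block random number R, and shows why one known (plaintext, ciphertext) block pair is enough to recover R (Formula 3) and with it every other block. Deriving R from the secret key with a hash, the 8-byte block size, and the sample key and plaintext are this example's own assumptions.

```python
# Added example (not from the patent text): pseudo-random-number-sum cipher,
# Formulas 1-3. Using SHA-256 as the shared "random number generator" and an
# 8-byte block are assumptions of this example only.
import hashlib
from typing import List

BLOCK = 8  # block length in bytes; the patent only says "a predetermined number of bits"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-OR for each corresponding bit, written "(+)" in the patent."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def random_number(secret_key: bytes) -> bytes:
    """Both devices run the same generator on the shared key and obtain the same block R."""
    return hashlib.sha256(secret_key).digest()[:BLOCK]


def encrypt(secret_key: bytes, plaintext: bytes) -> bytes:
    R = random_number(secret_key)
    return b"".join(xor_bytes(M, R) for M in split_blocks(plaintext))   # Formula 1: C = M (+) R


def decrypt(secret_key: bytes, ciphertext: bytes) -> bytes:
    R = random_number(secret_key)
    return b"".join(xor_bytes(C, R) for C in split_blocks(ciphertext))  # Formula 2: M = C (+) R


def recover_random_number(known_M: bytes, known_C: bytes) -> bytes:
    """Formula 3: a single known (M, C) block pair yields R without the secret key."""
    return xor_bytes(known_M, known_C)


def plaintext_from_one_known_block(ciphertext: bytes, index: int, known_M: bytes) -> bytes:
    """R is the same for every block, so R recovered from block `index` decrypts all of them.
    This is the weakness that motivates the chaining constructions discussed later."""
    R = recover_random_number(known_M, split_blocks(ciphertext)[index])
    return b"".join(xor_bytes(C, R) for C in split_blocks(ciphertext))


SECRET_KEY = b"constructed shared key"   # constructed sample value
SAMPLE = b"constructed sample text!"     # constructed sample plaintext, 3 blocks of 8 bytes

if __name__ == "__main__":
    ct = encrypt(SECRET_KEY, SAMPLE)
    assert decrypt(SECRET_KEY, ct) == SAMPLE
    # Knowing only the second block's plaintext recovers the whole message.
    print(plaintext_from_one_known_block(ct, 1, SAMPLE[BLOCK:2 * BLOCK]) == SAMPLE)
```

The check at the end confirms the description's point: because every block is combined with the same R, the cipher degrades to a single XOR mask, and the secret key itself never needs to be found.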
Cryptographic processing methods which are relatively secure against the known-plaintext attack include the Data Encryption Standard (DES) and the Fast Data Encipherment Algorithm (FEAL). These methods are explained in detail in Eiji Okamoto, An Introduction to Encryption Theory, published by Kyoritsu.
In these cryptographic methods, data is intensively scrambled in units of blocks (64 bits per block). For example, in the DES algorithm, a process which combines transposition with substitution is repeated for sixteen stages.
Cipher Block Chaining mode (hereinafter, CBC mode) has been proposed in order to improve the security of the DES methods against cryptanalysis and other unauthorized acts. The CBC mode is explained in detail in Nobuichi Ikeno and Kenji Koyama, Modern Encryption Theory, published by the Institute of Electronics, Information and Communication Engineers (pp. 66-67).
FIG. 1 shows the construction of an encryption apparatus 30 which realizes the CBC mode.
The encryption apparatus 30 includes an exclusive-OR unit 301, a data encryption unit 302, and a register 303.
The register 303 stores one ciphertext block which was obtained immediately before processing a present plaintext block. It should be noted that an initial value IV of one block is set in advance for encrypting a first plaintext block.
The exclusive-OR unit 301 performs, for each corresponding bit, an exclusive-OR operation on the immediately preceding ciphertext block which is stored in the register 303 and the present plaintext block to be encrypted, and sends the obtained data to the data encryption unit 302. When encrypting the first plaintext block, an exclusive-OR operation is performed on the initial value IV and the first plaintext block for each corresponding bit.
The data encryption unit 302 encrypts the 64-bit data sent from the exclusive-OR unit 301 using the DES algorithm with 64-bit key data.
Thus, the encryption apparatus 30 first performs an exclusive-OR operation on the initial value IV and the first plaintext block for each corresponding bit and encrypts the result using the 64-bit key data to obtain one ciphertext block. The encryption apparatus 30 then performs an exclusive-OR operation on the ciphertext block and a next plaintext block for each corresponding bit and encrypts the result to obtain another ciphertext block.
When a block in the plaintext is represented as "Mi", a block in the ciphertext as "Ci" (i is a block number 1, 2, 3, . . . ), the 64-bit key data as "K", the encryption using the key data K as "Ek", and the exclusive-OR operation for each corresponding bit as "(+)", the CBC mode can be described by the following "Formula 4" and "Formula 5":
C1=Ek(M1(+)IV)  (Formula 4)
Ci=Ek(Mi(+)Ci-1)  (i=2, 3, . . . )  (Formula 5)
In the CBC mode, each Ci depends on all ciphertext data preceding Ci, so that statistical characteristics of the plaintext are disturbed. As a result, the CBC mode is relatively secure against cryptanalysis and other unauthorized acts.
A drawback with the DES methods, the FEAL methods, the CBC mode in the DES methods and the like is that the algorithm is known and the length of a key is limited, so that it is possible to discover the proper key by performing decryption using every possible key in the known-plaintext attack. It should be noted here that each 64-bit key in the DES methods includes 8 parity bits, so that the valid key length is 56 bits. Accordingly, the number of possible keys is 2^56.
When, as in DES methods, the key is around 56 bits long, it is believed that it would be possible with current technology to succeed in decoding by trying all possible keys, though this would require a tremendous cost. However, if encryption is performed in a multilevel manner using a plurality of separate keys, it would be impossible with the current technology to succeed in decoding by trying all possible keys.
On the other hand, in view of rapid improvement in the processing ability of computers in recent years, it is not unthinkable that in the future it may become possible to succeed in decoding by trying all possible keys despite the multilevel encryption.
Also, though the larger the scale of the multilevel encryption, the further the security of the system will improve, it is not desirable simply to make conventional encryption apparatuses perform encryption in a multilevel manner, as this causes profound increases in hardware scale and processing time.
Conventional techniques which can improve the security of the CBC mode and the like without performing multilevel encryption are taught in JPN. 52-130504 (cryptographic apparatus) and JPN. 8-12537 (encryption apparatus). In the former reference, key data is renewed based on an immediately preceding cryptographic processing result such as a ciphertext and the renewed key is used for present cryptographic processing. In the latter reference, on the other hand, a plurality of intermediate keys which have been generated from an encryption key beforehand are each used for performing bit conversion in order to generate intermediate key renewal information, based on which each of the plurality of intermediate keys is renewed.
However, apparatuses such as the conventional cryptographic processing apparatuses described above are still not definitely secure against unauthorized attacks, thus leaving more room for improvement in the security of such systems.
In view of the above stated problems, it is an object of the present invention to provide a cryptographic processing apparatus, a cryptographic processing method, and a storage medium storing a cryptographic processing program, which can improve security without greatly increasing hardware scale and processing time.
The above object can be fulfilled by a cryptographic processing apparatus for performing cryptographic processing using input data to generate output data, including: a storage unit for storing chain data which is used for reflecting present cryptographic processing on the next cryptographic processing, and for renewing the chain data each time cryptographic processing is performed; a merging unit for merging the chain data stored in the storage unit with the input data to generate merged data; and a main cryptographic processing unit for performing main cryptographic processing using the merged data to generate the output data and for outputting intermediate data which is generated during the generation of the output data, wherein the storage unit renews the chain data by storing the intermediate data outputted by the main cryptographic processing unit as the new chain data, which is used for the next cryptographic processing.
With the stated construction, the intermediate data generated during the cryptographic processing is stored as the chain data, which is merged with the input data, such as key data or cryptographic-processing object data, the next time the cryptographic processing is performed. By doing so, the chain data is renewed each time the cryptographic processing is performed, so that each set of output data depends on all preceding data. Accordingly, statistical characteristics of the plaintext are disturbed by each chain data, making cryptanalysis difficult without greatly increasing the hardware scale and the processing time. Also, even if a cryptanalyst obtains a pair of a ciphertext and a plaintext, it will practically be impossible to obtain the chain data used for the cryptographic processing, because that chain data is never output. In addition, since the algorithm for generating the chain data and the initial value of the chain data are secret, cryptanalysis by the known-plaintext attack becomes even more difficult, and so does cryptanalysis by trying all possible keys.
As a result, it is possible to improve security of the cryptography without greatly increasing the hardware scale and the processing time.
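The following is an added example, not code from the patent: it implements the CBC chaining of FIG. 1 (Formulas 4 and 5, where register 303 stores the previous ciphertext block) side by side with the chaining of the apparatus described above, where the storage unit instead renews the chain data with intermediate data produced inside the main cryptographic processing. The 4-round Feistel cipher is a constructed stand-in for the 64-bit block cipher and is not DES; the choice of the state after half the rounds as "intermediate data", the hash-based round function, and the sample key, initial value and plaintext are this example's own assumptions.

```python
# Added example (not the patent's own code): CBC chaining versus chaining on
# intermediate data. The Feistel cipher is a constructed stand-in, not DES.
import hashlib
from typing import List, Tuple

BLOCK = 8      # 64-bit blocks, as in the DES-based apparatus of FIG. 1
ROUNDS = 4     # toy round count; DES uses sixteen
KEY = b"constructed sample key"    # constructed; shared by both devices
IV = bytes(range(BLOCK))           # constructed initial value of the chain data


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> List[bytes]:
    # Assumption: per-round 32-bit subkeys derived by hashing; any schedule would do.
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def _round_fn(half: bytes, subkey: bytes) -> bytes:
    return hashlib.sha256(half + subkey).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> Tuple[bytes, bytes]:
    """Return (ciphertext block, intermediate data).
    Intermediate data = the 64-bit state after ROUNDS // 2 rounds, i.e. data generated
    during the main cryptographic processing rather than its final output."""
    left, right = block[:4], block[4:]
    intermediate = b""
    for r, sk in enumerate(_subkeys(key)):
        left, right = right, xor_bytes(left, _round_fn(right, sk))
        if r + 1 == ROUNDS // 2:
            intermediate = left + right
    return right + left, intermediate          # final swap of halves


def block_decrypt(key: bytes, block: bytes) -> Tuple[bytes, bytes]:
    """Inverse of block_encrypt. Decryption walks the rounds backwards, so after
    ROUNDS // 2 backward rounds the state equals the encryption's intermediate state
    (halves swapped); the receiver therefore recovers the same chain data."""
    left, right = block[:4], block[4:]
    intermediate = b""
    for r, sk in enumerate(reversed(_subkeys(key))):
        left, right = right, xor_bytes(left, _round_fn(right, sk))
        if r + 1 == ROUNDS // 2:
            intermediate = right + left
    return right + left, intermediate


def chained_encrypt(key: bytes, iv: bytes, blocks: List[bytes],
                    chain_on_intermediate: bool) -> Tuple[List[bytes], List[bytes]]:
    """Encrypt with a one-block chain register; return (ciphertext blocks, chain history).
    chain_on_intermediate=False is CBC (Formulas 4 and 5): the register keeps Ci.
    chain_on_intermediate=True renews the register with the intermediate data instead."""
    chain, out, history = iv, [], []
    for m in blocks:
        merged = xor_bytes(m, chain)                     # merging unit (exclusive-OR)
        c, intermediate = block_encrypt(key, merged)     # main cryptographic processing
        out.append(c)
        chain = intermediate if chain_on_intermediate else c   # storage unit renews chain
        history.append(chain)
    return out, history


def chained_decrypt(key: bytes, iv: bytes, blocks: List[bytes],
                    chain_on_intermediate: bool) -> List[bytes]:
    chain, out = iv, []
    for c in blocks:
        merged, intermediate = block_decrypt(key, c)
        out.append(xor_bytes(merged, chain))
        chain = intermediate if chain_on_intermediate else c
    return out


def chain_visible_on_wire(ciphertext: List[bytes], history: List[bytes]) -> bool:
    """True when every chain value also travels as a transmitted ciphertext block."""
    return all(h in ciphertext for h in history)


SAMPLE = b"constructed sample text!"   # constructed sample plaintext, 3 blocks of 8 bytes
SAMPLE_BLOCKS = [SAMPLE[i:i + BLOCK] for i in range(0, len(SAMPLE), BLOCK)]

if __name__ == "__main__":
    for mode in (False, True):
        ct, hist = chained_encrypt(KEY, IV, SAMPLE_BLOCKS, mode)
        assert chained_decrypt(KEY, IV, ct, mode) == SAMPLE_BLOCKS
        print("intermediate chaining" if mode else "CBC",
              "- chain values observable on the wire:", chain_visible_on_wire(ct, hist))
```

With CBC every chain value is a ciphertext block, so an observer who holds a (plaintext, ciphertext) pair also holds the value that was merged into the next block. With chaining on intermediate data the register contents never leave the device, which is the property the description relies on when it says the chain data cannot practically be obtained from such a pair. The first ciphertext block is identical in both modes (both start from IV); they diverge from the second block on.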